Public Policy

The World Privacy Forum sent a letter to Los Angeles Mayor Villaraigosa today expressing concerns and questions about a proposed contract to move the city of Los Angeles’ email and some other computing tasks to a cloud-based system. The Forum expressed concerns in particular about the lack of contractual protection for health data, AIDs data, genetic information, domestic violence and sexual assault victim information, among other sensitive information. The Forum suggested the city undertake an independent and thorough risk assessment prior to completing the contract, and suggested a robust public comment process that includes all stakeholders. The City will take up the issue of this contract at a city council Information Technology Committee meeting on Tuesday July 21. The World Privacy Forum published a detailed analysis of the privacy issues of cloud computing in February which outlines the challenges and ambiguities that governments and others face as they make decisions about what data to put in the cloud.

Public comments re: health data breaches — The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for “limited data set” breaches.

Genetic Privacy | GINA — The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loopholes in consumer protection in the proposed regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way so as to prevent information leakage through billing and other activities.

The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loophole in consumer protection in the regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way as to prevent information leakage through billing and other activities.

Data broker opt out issue — The World Privacy Forum sent a letter to the Federal Trade Commission asking it to look into four companies offering online consumers the ability to opt out, then asking those consumers to use a variety of postal-mail-based methods to do so.

To score is human. Ranking individuals by grades and other performance numbers is as old as human society. Consumer scores — numbers given to individuals to describe or predict their characteristics, habits, or predilections — are a modern day numeric shorthand that ranks, separates, sifts, and otherwise categorizes individuals and also predicts their potential future actions. This new report by Pam Dixon and Robert Gellman explores this issue of predictive scores and privacy.

This Jan. 30, 2014 report discusses a new right to restrict disclosure of health information under the updated HIPAA health privacy rule. The new provision called “Pay Out of Pocket,” also called the “Right to Restrict Disclosure” gives patients the right to request that their health care provider not report or disclose their information to their health plans when they pay for medical services in full. Navigating the new right will take effort and planning for patients to utilize effectively. This substance of this report is about the new patient right to restrict disclosure, and how patients can use it to protect health privacy.

This report focuses on government use of commercial data brokers, the implications for that usage, and what needs to be done to address privacy problems. The government must bring itself fully to heel in the area of privacy. If it is going to outsource its data needs to commercial data brokers, it needs to attach the privacy standards it would have been held to if it had collected the data itself. Outsourcing is not an excuse for evading privacy obligations. Report authors: Bob Gellman and Pam Dixon.